Alicem: The origins of the French digital identity

image

Introduction

France will become the first European country to use facial recognition technology to give citizens a secure digital identity. Later this year, the French government will release an Android application called Alicem. For now, the application is tested internally by the Ministry of Home Affairs’ employees. For some reasons, I managed to get access to this application 😏. I was curious to know the origins of the project and the nationality of this technology. Spoiler: This is not French

Demo system

One of the first things I did during the analysis of the Android application was to retrieve the urls used

fs0c131y:~/fr.gouv.ants.alicem$ grep -rEo '(http|https)://[^/"]+' apktool.out/
https://alicem.demo.gemalto.com
...

The url, https://alicem.demo.gemalto.com, directly caught my eyes. It contains the word “demo”, it’s not a “gouv.fr” url and this is a subdomain of a private company called Gemalto. We can deduce that Gemalto, a private company, provided a “demo system” to the French Ministry of Home Affairs for the Alicem project. This is not a big surprise as their Digital Wallet product is on their website’s front page.

image

When we browsed the website, we get the “Utopia eGovernment Services” interface. Not the better title, I guess it’s a utopia more for the governments than the population itself… I noticed a lot of vocabulary related to cars: car rental, digital driving license, driver.

image

Their demo system was super easy to crash. The crash report revealed the version of Tomcat: 9.0.0M9. This version is super old, it has been released on 2016-07-12. Obviously, it contains a lot of vulnerabilities… After, exposing them on Twitter, the alicem.demo.gemalto.com domain has been taken down very quickly.

GTO Driver Apps

image

By searching “alicem.demo.gemalto.com” on Google, we obtained very interesting results. In the description of the first results, 2 Android apps called “GTO Driver Demo” and “GTO Driver Control” are mentioned. These 2 apps were available on the PlayStore but not anymore. Fortunately, thanks to apkpure, we can download these 2 apps:

In all versions of these 2 applications, trust me I checked all the versions, I have found the use of alicem.demo.gemalto.com. By looking at the release dates of these applications, we can deduce that the French Ministry of Home Affairs tested this demo system from 2016-04-26 to 2018-10-02.

Digital Driver License (DDL)

image

The description of the app is “Usage of this application is limited to DDL demo and DDL pilot holders.”. Hum ok, so Gemalto provided a DDL demo to the French Ministry of Home Affairs for Alicem. But what is DDL?

image

The simplest methods are always the best. By searching “Gemalto DDL” on Google, I found that DDL means Digital Driver license. On their website, Gemalto described DDL as

[…] a highly secure​ version of your physical driver’s license or ID card stored on your smartphone. It is not a replacement for the actual card, rather a supplement to it."

End of 2017, DDL has been on the news in the US:

Did I tell you that Gemalto received a $2 million grant from the US National Institute of Standards and Technology (NIST) to design and test a digital license in a two-year pilot program? According to their website,

The interoperable pilot will run over the course of two years in five US jurisdictions, and explore four main use cases, namely enrollment, updates to the document once it’s in the field, attribute sharing and law enforcement.

Money, Money, Money

How much does ANTS, an agency of the French Ministry of Home Affairs paid for Alicem? According to the public record ANTS made a deal the 14th December of 2016 for the beautiful sum of 2.847.919,39 euros. The contract is for a duration of 4 years + an option for an additional 18 months. But wait a minute, Gemalto announced 1 month before, the 14th November of 2016, that they received a $2 million grant from NIST, an agency of the US gouvernment, for his DDL pilot. They litteraly have been paid twice for the same job.

Conclusion

Don’t be fooled by the official communication you will see around the release of Alicem. Everyone will be proud to say “France is the first European country to use facial recognition technology to give citizens a secure digital identity” but the reality is different. This product has been made by Gemalto, a international company based in Netherlands, created and tested in the US for the last 2 years and financed by an agency of the US government.